Product URLs

CVSSv3 Score

Details

This vulnerability is present in the AntennaHouse DMC HTMLFilter, which is used, among other things, to convert DOC files to (X)HTML. The product is mainly used by MarkLogic for DOC document conversions as part of its web-based document search and rendering engine. A specially crafted DOC file can lead to heap corruption and ultimately to remote code execution.

Let's investigate this vulnerability. After running the DOC to HTML converter with a malformed DOC file as input, we can easily observe a couple of flaws using Valgrind:

We see in the first couple of lines of the Valgrind output that, in the Doc_GetFontTable function, the argument passed to malloc is equal to 0:

`Address 0x4351ce8 is 0 bytes after a block of size 0 alloc'd`

That's the root cause of the OOB writes we observed above. Now that we know where the problem is, let's take a glance at the pseudo code of this function and investigate the origin of the malloc argument.

At line 57, the first DWORD from this buffer is read and assigned to the a1->dword38A4 field. Next, at line 59, the value of that field is used as an argument to malloc.

From the buffer dump we can see that the first DWORD is equal to 0. That explains everything: the value from the file is passed directly as an argument to malloc.

In our case it is equal to 0, which causes the result of the multiplication to also be 0. This is not the only bad scenario: a large value could also cause an integer overflow in the multiplication, leading to the same result, an undersized buffer and heap corruption.

Let's see how many bytes are actually available in a buffer allocated with malloc(0).

So that means we have 0x14 bytes available for use. From line 64 to line 79 we see a while loop with a lot of writes into a1->fontTable. The range of these write operations is much bigger than the allocated buffer capacity, which leads to heap corruption.
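The size path described above, reconstructed in C with the checks that would have prevented it. This is an added example, not AntennaHouse's code: the function name parse_font_table, the entry layout, and the sample byte strings are assumptions, but the pattern (count read from the file, multiplied, handed to malloc, then used to bound a write loop) is the one the advisory describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed entry layout: the real Doc_GetFontTable writes more fields per
   entry, but the size-validation pattern is what this example is about. */
typedef struct { uint16_t id; uint16_t flags; } font_entry_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Hardened version of the pattern the advisory describes: the entry count
   is read from the file, then validated before it is multiplied and handed
   to malloc. Returns 0 and fills *out/*out_count on success, -1 on malformed input. */
int parse_font_table(const uint8_t *buf, size_t len, font_entry_t **out, uint32_t *out_count) {
    *out = NULL; *out_count = 0;
    if (len < 4) return -1;                              /* no room for the count DWORD */
    uint32_t count = rd32le(buf);
    if (count == 0) return -1;                           /* would be malloc(0): the "block of size 0" */
    if (count > (SIZE_MAX - 4) / sizeof(font_entry_t)) return -1; /* count * size would wrap */
    size_t bytes = (size_t)count * sizeof(font_entry_t);
    if (bytes > len - 4) return -1;                      /* more entries claimed than bytes present */
    font_entry_t *table = malloc(bytes);
    if (!table) return -1;
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += 4) {      /* loop is bounded by the validated count */
        table[i].id = rd16le(p);
        table[i].flags = rd16le(p + 2);
    }
    *out = table; *out_count = count;
    return 0;
}

int main(void) {
    /* Constructed inputs: count 0 (the crashing case), a count that would
       overflow the multiplication, and a well-formed two-entry table. */
    static const uint8_t zero[4]  = {0, 0, 0, 0};
    static const uint8_t huge[8]  = {0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4};
    static const uint8_t good[12] = {2, 0, 0, 0,  0x10, 0x00, 0x01, 0x00,  0x20, 0x00, 0x02, 0x00};
    font_entry_t *t; uint32_t n;
    printf("zero: %d\n", parse_font_table(zero, sizeof zero, &t, &n));
    printf("huge: %d\n", parse_font_table(huge, sizeof huge, &t, &n));
    if (parse_font_table(good, sizeof good, &t, &n) == 0) {
        printf("good: %u entries, first id 0x%x\n", n, t[0].id);
        free(t);
    }
    return 0;
}
```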